Acquisition / Procurement Process
The formal multi-step process by which an organization obtains goods and services from third-party vendors. Procurement ensures that purchases are authorized, budgeted, and documented. The sequence: (1) user request with technical specs, business justification, and budget identification; (2) management approvals; (3) supplier negotiation on price, terms, and licensing; (4) purchase order generation; (5) delivery of goods/services; (6) invoice processing and payment. The process creates an auditable financial trail connecting authorized spending to delivered assets.
Asset Tracking System
A centralized database or platform used to record, manage, and monitor every organizational asset throughout its lifecycle. Stores ownership assignment, classification, physical location, configuration details, maintenance history, and disposal records. Used by IT, finance, help desk, and security teams. Asset tracking provides the visibility needed for vulnerability management, patch deployment, incident response, and compliance reporting. A device not in the asset tracking system is invisible to security operations — it cannot be patched, monitored, or controlled.
Ownership Assignment
The practice of associating each asset with a responsible individual or department in the asset tracking system. Ownership establishes accountability: the assigned owner is responsible for the device's physical security, proper use, and return. It enables efficient support (technicians know who has the device) and security response (if the device is involved in an incident, ownership identifies the starting point for investigation). In BYOD environments, ownership must also record whether the device is organizational or employee-owned, since this affects management rights.
Asset Classification — CapEx vs OpEx
The categorization of assets by type and financial treatment. Hardware (servers, workstations, switches, storage) is typically a capital expenditure (CapEx): a long-term physical asset that depreciates over time, affecting tax liability through depreciation schedules. Software licenses, subscriptions, and cloud services are typically operating expenditures (OpEx): ongoing business expenses that do not depreciate and are taxed as current-period costs. Correct classification matters for financial reporting, tax compliance, and audit accuracy.
Asset Enumeration
The process of documenting the individual components that make up a single asset rather than treating it as a single black-box entry. A workstation is not just one record — enumeration captures CPU model and speed, memory capacity and configuration, storage drive make/model/capacity, peripheral devices, and any installed cards or modules. Enumeration enables precise troubleshooting (which component failed?), accurate replacement ordering, and more detailed security assessments. Also supports help desk ticket pre-population with device specifications before a technician is dispatched.
Asset Tag
A physical identifier attached to a device that links the physical object to its record in the asset tracking system. Common formats: barcodes (scanned with a handheld reader), RFID tags (scanned wirelessly at short range), or visible tracking numbers with organizational identifiers. Serves three functions: rapid inventory scanning (physical audit of all devices in a location), support integration (scan the device to pull up its record in the help desk system), and theft deterrence (a visible tag with the organization's name makes unauthorized removal conspicuous and recovery more likely if lost or stolen).
Media Sanitization
The process of securely removing data from storage media so that it cannot be recovered, prior to reuse, resale, donation, or disposal. Sanitization is a one-way process — properly sanitized data cannot be recovered by any means, including forensic tools. Methods range from logical (secure overwrite utilities that write random data over all sectors) to physical (destruction). The appropriate method depends on the device's next destination: overwrite for reuse, physical destruction for permanent decommission. Standard file system deletion is NOT sanitization — deleted files remain recoverable until their sectors are overwritten.
Secure Overwrite (Logical Sanitization)
A software-based sanitization method that overwrites all sectors of a storage drive with random data (or zeros), preventing recovery of the original data. The drive remains functional after the process and can be reimaged and reused. Standards for overwrite include DoD 5220.22-M (multiple overwrite passes) and NIST SP 800-88 (Guidelines for Media Sanitization). Effective for HDDs. For SSDs, overwrite utilities may not reach data in wear-leveling reserve areas; NIST SP 800-88 recommends cryptographic erase or physical destruction for SSD sanitization.
Degaussing
A physical media destruction technique that uses a powerful electromagnetic field to erase the magnetic data on a hard disk drive (HDD). The magnetic field destroys the data patterns stored on the platters and also erases the servo tracks that control read/write head positioning, rendering the drive mechanically unusable. Critical limitation: degaussing does not work on solid-state drives (SSDs). SSDs store data as electrical charge in flash memory cells, not magnetic patterns. A degausser has no effect on an SSD — the drive may appear unchanged and contain fully readable data after degaussing. Applying degaussing to an SSD is not sanitization.
Physical Destruction Methods
Methods that physically damage or destroy storage media to prevent data recovery. Options in ascending order of assurance: Drilling/hammering — puncture or deform the storage platters (must penetrate the actual platter surface, not just the housing); suitable for small quantities. Shredding/pulverization — industrial machinery reduces drives to small fragments; scalable for large volumes; produces physical evidence of destruction. Degaussing — electromagnetic erasure for HDDs (not SSDs). Incineration — high-temperature destruction, complete elimination; used for classified/highly sensitive media.
Certificate of Destruction
A formal document issued by a third-party media destruction vendor confirming that specific storage devices were destroyed according to defined procedures. A proper certificate includes: serial numbers of destroyed drives (matched against the asset inventory), destruction method used, date and location of destruction, and vendor signature/seal. The certificate creates a paper trail — a chain-of-custody record demonstrating that decommissioned media was properly disposed of. Supports compliance audits (demonstrating that regulated data was destroyed), legal accountability, and insurance claims. A certificate listing individual serial numbers provides much stronger assurance than a generic quantity-based confirmation.
Data Retention Policy
An organizational policy defining how long each category of data must be retained, where it is stored during the retention period, and how it is deleted when the retention period ends. Driven by three factors: (1) regulatory compliance — mandatory retention periods for specific data types (HIPAA for healthcare records, SOX for financial records, SEC rules for trading records); (2) operational needs — backup windows for accidental deletion recovery and disaster recovery capability; (3) data type differentiation — different categories require different retention periods. Data retained longer than necessary creates storage costs and unnecessary breach exposure; data deleted too soon creates compliance violations and recovery failures.